Exhausted IT Security Teams Battle Rise of Deepfakes, API Attacks

Emerging threats including deepfakes and attacks on APIs are adding to organizations' security woes, while geopolitically motivated attacks and lateral movement inside networks are on the rise.

These were among the findings in VMware's eighth annual Global Incident Response Threat Report, which discovered lateral movement across a quarter of all attacks.

Cybercriminals are leveraging everything from script hosts (49%) and file storage (46%) to PowerShell (45%), business communications platforms (41%), and .NET (39%) to move through networks.

Defending Against Deepfakes

In addition, malicious actors have turned to deepfakes to evade security controls, with email as the top delivery method.

Related: A New Spin on a Classic Type of Social Engineering Attack

"Deepfakes present a challenge for security leaders, but defending against them is similar to defending against other social engineering attacks — it starts with education," said Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions.

Holland calls it "a game of cat and mouse" between deepfake authors and deepfake detection technology and said humans will be the last line of defense.

"Educate employees about the threat of deepfakes and how to spot them," he said. "Employees should independently verify communications just as you would on a suspicious email."

Deepfake technology is proving a challenge in multiple ways, and it is still unclear how much of a problem it will be in the cybersecurity space, according to Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of software as a service (SaaS) for enterprise cyber-risk remediation.

"How to combat deepfakes depends on how they're deployed, with user education one part of the puzzle and some process built around verifying sources another," he said.

Impersonation is a key component of phishing and social engineering in general, said John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company.

"If I can initiate a video call as a CFO that looks and sounds like the CFO, I'm able to initiate fraudulent financial transactions," he said. "Every sensitive transaction, financial and otherwise, should be verified with an out-of-band method."

Detecting Lateral Movement

Bambenek also pointed out that lateral movement is present in almost every modern attack — whether it is detected it or not is an open question.

"Rarely do attackers get their final objective in their fast shot at an environment," he explained. "While one would hope an organization's defenses detect lateral movement, there is an entire spreadsheet of MITRE ATT&CK techniques that can't be ignored either."

Related: Ransomware Security for IT Pros

Holland agrees that lateral movement isn't the new battleground — it has been the battleground, with malicious actors "living off the land" using legitimate tools for more than a decade.

"Defenders must have comprehensive visibility to detect actors moving inside their network using legitimate tools," he said.

Burnout a Serious Issue Among IT Security Professionals

The changing nature of the threats and their increasing complexity are increasing burnout among IT security professionals, the study indicated, with nearly half (47%) of the 125 incident responders surveyed admitting they experienced burnout or extreme stress in the past 12 months.

It has been the "year of the breach" for over a decade, and the threat landscape has been particularly overwhelming since the SolarWinds cyber-attack in 2020, Holland said.

"Defenders must get downtime, and leadership must actively work toward this goal," he said. "Managers should lead by example and take time off themselves — don't model taking PTO and then being online, Slacking, and sending emails. Employees should know it is OK to take time off and recharge."

From Bambenek's perspective, there is simply too much work and not enough people to do it.

"As an industry we need to build a talent pipeline and remove any unnecessary barrier to entry," he said. "We also need to embrace safe automation that allows the existing professionals to get more done in less time. Lastly, work-life balance needs to be emphasized — require your security staff to take their PTO."

IT Security Teams Deploying Virtual Patching

VMware's report also indicated responders are using new tactics to combat the onslaught of attacks, with a full three-quarters of respondents saying they deploy virtual patching as an emergency mechanism.

Virtual patching helps fill a gap until a "real" patch can be developed and deployed, according to Parkin.

"It comes under the heading of 'compensating controls' and can be quite effective, though the best defense is keeping the applications secure," he said.

Virtual patching has been around for quite some time, dating back to intrusion prevention systems and web application firewalls, Holland said.

"It is easy to preach from the ivory tower, 'Thou must patch,' but in the trenches, patches aren't always available, and even when they are, it could take time to test and deploy the patches to production," he said. "Any mitigation that buys more time is worth considering."